refactor(all): complete rework of the repo

Moving to a recipeless way of doing things
This commit is contained in:
Philippe Caseiro 2023-06-09 12:17:09 +02:00
parent b13a5e892f
commit 351f693775
13 changed files with 109 additions and 123 deletions

View File

@ -1,41 +1,13 @@
IMAGE_NAME := reg.cadoles.com/cadoles/sp
################################
# Makefile for Cadoles SP
################################
IMAGE_REPO := reg.cadoles.com/cadoles
IMAGE_NAME := sp
IMAGE_FULL_NAME := $(IMAGE_REPO)/$(IMAGE_NAME)
IMAGE_VERSION := 0.1.0
DOCKERFILE ?=
DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d)
build:
_build:
docker \
build \
-t "$(IMAGE_NAME):$(IMAGE_TAG)" \
-f $(DOCKERFILE) \
.
scan:
_scan: tools/trivy/bin/trivy
mkdir -p .trivy/$(IMAGE_NAME)/$(IMAGE_TAG)
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt" $(TRIVY_ARGS) $(IMAGE_NAME):$(IMAGE_TAG)
cat ".trivy/$(IMAGE_NAME)/$(IMAGE_TAG)/report.txt"
tools/trivy/bin/trivy:
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
release:
_release:
docker tag $(IMAGE_NAME):$(IMAGE_TAG) $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_NAME):$(IMAGE_TAG)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_NAME):$(IMAGE_TAG)
_test: tools/bin/bash_unit
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
tools/bin/bash_unit:
mkdir -p tools/bin
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
include recipes/*.mk
include main.mk

View File

@ -1,14 +0,0 @@
FROM reg.cadoles.com/proxy_cache/library/alpine:edge
#FROM reg.cadoles.com/proxy_cache/library/httpd:alpine3.18
# Adding testing repo
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update && apk add apache-mod-auth-openidc
COPY conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
COPY conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
COPY scripts/httpd-foreground /usr/local/bin/
CMD ["httpd-foreground"]

View File

@ -1,14 +0,0 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL} #http://portal.mse.local:8000/auth/.well-known/openid-configuration
OIDCClientID ${SP_OIDC_CLIENT_NAME} #mse
OIDCClientSecret ${SP_OIDC_CLIENT_SERCRET} #$mse&123456$
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCookieSameSite On
OIDCSessionType client-cookie
OIDCXForwardedHeaders X-Forwarded-Host
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI} #http://portal.mse.local:8000/protected/redirect_uri
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE} #$mse&123456$
OIDCOAuthAcceptTokenAs header
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI} #http://portal.mse.local:8000/erreur?msg=mod_auth_fail

View File

@ -4,11 +4,17 @@ FROM reg.cadoles.com/proxy_cache/library/alpine:edge
# Adding testing repo
RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update && apk add apache-mod-auth-openidc
RUN apk update && apk add apache-mod-auth-openidc apache2-ssl
RUN mkdir -p /var/www/html
COPY files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
COPY files/alpine/sp-oidc/base/conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
COPY files/alpine/sp-oidc/base/scripts/httpd-foreground /usr/local/bin/
RUN chmod +x /usr/local/bin/httpd-foreground
RUN mkdir -p /var/www/html
RUN chown apache:apache /var/www/html
CMD ["httpd-foreground"]
SHELL ["/bin/sh", "-c"]
CMD ["/usr/local/bin/httpd-foreground"]

View File

@ -0,0 +1,14 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL}
OIDCClientID ${SP_OIDC_CLIENT_NAME}
OIDCClientSecret ${SP_OIDC_CLIENT_SECRET}
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCCookieSameSite On
OIDCSessionType client-cookie
OIDCXForwardedHeaders X-Forwarded-Host
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI ${SP_OIDC_REDIRECT_URI}
OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE}
OIDCOAuthAcceptTokenAs header
OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI}

78
main.mk Normal file
View File

@ -0,0 +1,78 @@
IMAGES_DIR := ./files/images
#
# $1: IMAGE_NAME
# $2: IMAGE_TAG
#
define build_image
echo "Building ${IMAGE_REPO}/$1";\
docker build \
-t "${IMAGE_REPO}/$1:$2" \
-f ${IMAGES_DIR}/$1/$2/Dockerfile \
.
endef
#
# $1: IMAGE_NAME
# $2: IMAGE_TAG
#
define scan_image
echo "Scanning ${IMAGE_REPO}/$1"; \
mkdir -p .trivy/$(IMAGE_REPO)/$1/$2; \
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_REPO)/$1/$2/report.txt" $(TRIVY_ARGS) $(IMAGE_REPO)/$1:$2 ; \
cat ".trivy/$(IMAGE_REPO)/$1/$2report.txt"
endef
define install_trivy
mkdir -p tools/trivy/bin ; \
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
endef
define release_image
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION); \
docker tag $(IMAGE_REPO)/$1:$2 $(IMAGE_REPO)/$1:$2-latest ; \
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
docker push $(IMAGE_REPO)/$1:$2-$(IMAGE_VERSION) ; \
docker push $(IMAGE_REPO)/$1:$2-latest
endef
#list:
build: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call build_image,$${name},base); \
done;\
scan: ${IMAGES_DIR}/*
$(call install_trivy)
@for name in $(basename $(notdir $^)); do \
$(call scan_image,$${name},base); \
done;\
tools/trivy/bin/trivy:
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
release: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call release_image,$${name},base); \
done;\
_release:
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
_test: tools/bin/bash_unit
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
tools/bin/bash_unit:
mkdir -p tools/bin
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
##include recipes/*.mk

View File

@ -1,28 +0,0 @@
build: build-alpine-sp-oidc-base
build-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
DOCKERFILE=files/alpine/sp-oidc/base/Dockerfile \
_build
scan: scan-alpine-sp-oidc-base
scan-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_scan
release: release-alpine-sp-oidc-base
release-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_release
test: test-alpine-sp-oidc-base
test-alpine-sp-oidc-base:
$(MAKE) \
IMAGE_TAG=alpine-sp-oidc-base \
_test

View File

@ -1,28 +0,0 @@
build: build-debian-sp-shib-base
build-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
DOCKERFILE=files/debian/sp-shib/base/Dockerfile \
_build
scan: scan-debian-sp-shib-base
scan-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_scan
release: release-debian-sp-shib-base
release-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_release
test: test-debian-sp-shib-base
test-debian-sp-shib-base:
$(MAKE) \
IMAGE_TAG=debian-sp-shib-base \
_test